NSS open multiple NSS-Databses at once?

> thanks, but these facts i know. I don't want top let multiple
> applications open one Database, i want to open multiple different
> Mozilla databases, in the old standard format, with one (my)
> application.
>
> I tried to use the NSS_Init functions. These works with openening one
> database, but when i open a second one the whole application
> crashes,so that's why i asked the question and may be get some
> working example c++ code?
>

> On 01/10/2017 10:18 AM, Opa114 wrote:
> > thanks, but these facts i know.
> > I don't want top let multiple applications open one Database, i want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
> >
> > I tried to use the NSS_Init functions. These works with openening one database, but when i open a second one the whole application crashes,so that's why i asked the question and may be get some working example c++ code?
> 1) Where are you crashing (it's not expected to work, but I don't expect
> a crash because you called NSS_Init again).
>
> 2) To open additional databases you want to use SECMOD_OpenUserDB:
>
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB
>
> You can call that multiple times.
> Once the database is opened any of the NSS find functions will find all
> the certs in both databases. The slot returned from SECOMD_OpenUserDB
> can be used in functions that take a slot to narrow the operations just
> to that particular database.
>
> To NSS each database will look basically like a smart card.
>
> When you are through with that database you can use SECMOD_CloseUserDB()
>
> bob

> Am Dienstag, 10. Januar 2017 22:24:10 UTC+1 schrieb Robert Relyea:
>> On 01/10/2017 10:18 AM, Opa114 wrote:
>>> thanks, but these facts i know.
>>> I don't want top let multiple applications open one Database, i want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
>>>
>>> I tried to use the NSS_Init functions. These works with openening one database, but when i open a second one the whole application crashes,so that's why i asked the question and may be get some working example c++ code?
>> 1) Where are you crashing (it's not expected to work, but I don't expect
>> a crash because you called NSS_Init again).
>>
>> 2) To open additional databases you want to use SECMOD_OpenUserDB:
>>
>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB
>>
>> You can call that multiple times.
>> Once the database is opened any of the NSS find functions will find all
>> the certs in both databases. The slot returned from SECOMD_OpenUserDB
>> can be used in functions that take a slot to narrow the operations just
>> to that particular database.
>>
>> To NSS each database will look basically like a smart card.
>>
>> When you are through with that database you can use SECMOD_CloseUserDB()
>>
>> bob
>
> thanks for reply. Here are first some little code of which did not work, that means it crashes:
>
> functionLoadFirefox() {
> SECStatus rv = NSS_InitReadWrite(PATH_TO_FF_DB);
> ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
> NSS_Shutdown();
> }
>
> functionLoadThunderbird() {
> SECStatus rv = NSS_InitReadWrite(PATH_TO_TB_DB);
> ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
> NSS_Shutdown();
> }
>
> So these are my two functions in which i opened and clos the databases and retrieve the certificates.

> On 01/10/2017 01:40 PM, John Dennis wrote:
>> On 01/10/2017 04:23 PM, Robert Relyea wrote:
>>> 2) To open additional databases you want to use SECMOD_OpenUserDB:
>>
>> Bob, is SECMOD_OpenUserDB new?
>>
> No, it's been around for quite some time.
>
>
> bob
>

> On 01/10/2017 02:07 PM, Opa114 wrote:
> > Am Dienstag, 10. Januar 2017 22:24:10 UTC+1 schrieb Robert Relyea:
> >> On 01/10/2017 10:18 AM, Opa114 wrote:
> >>> thanks, but these facts i know.
> >>> I don't want top let multiple applications open one Database, i want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
> >>>
> >>> I tried to use the NSS_Init functions. These works with openening one database, but when i open a second one the whole application crashes,so that's why i asked the question and may be get some working example c++ code?
> >> 1) Where are you crashing (it's not expected to work, but I don't expect
> >> a crash because you called NSS_Init again).
> >>
> >> 2) To open additional databases you want to use SECMOD_OpenUserDB:
> >>
> >> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB
> >>
> >> You can call that multiple times.
> >> Once the database is opened any of the NSS find functions will find all
> >> the certs in both databases. The slot returned from SECOMD_OpenUserDB
> >> can be used in functions that take a slot to narrow the operations just
> >> to that particular database.
> >>
> >> To NSS each database will look basically like a smart card.
> >>
> >> When you are through with that database you can use SECMOD_CloseUserDB()
> >>
> >> bob
> >
> > thanks for reply. Here are first some little code of which did not work, that means it crashes:
> >
> > functionLoadFirefox() {
> > SECStatus rv = NSS_InitReadWrite(PATH_TO_FF_DB);
> > ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
> > NSS_Shutdown();
> > }
> >
> > functionLoadThunderbird() {
> > SECStatus rv = NSS_InitReadWrite(PATH_TO_TB_DB);
> > ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
> > NSS_Shutdown();
> > }
> >
> > So these are my two functions in which i opened and clos the databases and retrieve the certificates.
> So the certs you got from the first call is likely preventing
> NSS_Shutdown from completing. The certs hold references to the
> respective slots. Those references prevent NSS_Shutdown from closing
> completely. The will prevent the second NSS_Init from succeeding, so you
> probably crash in your second shutdown. You can detect this happened by
> looking at the return value from NSS_Shutdown().
> >
> > --> 2) To open additional databases you want to use SECMOD_OpenUserDB
> > So this means. First i have to call NSS_Init with let's say firefox database ad the i have to call SECMOD_OpenUserDB with the thudnerbirddatabse, right? Or must i load both with the SECMOD_OpenUserDB?
> You can either use NSS_Init with no database and then call
> SECMOD_OpenUserDB() for both, or you can call NSS_Init with one database
> and then call SECMOD_OpenUserDB with the other.
> >
> > --> Once the database is opened any of the NSS find functions will find all the certs in both databases
> > But i have to know from which databse the certificates are coming from. So i need to know that let's say Certificate ABC ist stored inside Firefox Databse and Certificate 123 is stored in Thunerbird Database. How can i do that? or is this not possible?
> The slot the database can be found in the cert->slot entry, but this
> will only give you ONE of the slots the cert lives in. If a cert exists
> in both databases, it will have a single entry on the list and be
> "somewhat" random which slot is listed (If you open one database with
> NSS_Init and the second with SECMOD_OpenUserDB() then the one you opened
> with SECMOD_OpenUserDB() will be the slot that shows up.
>
> To fix this issue, there's a function called PK11_GetAllSlotsForCert()
> which returns a slotList and will return all the slots that hold this
> cert. The slots map one for one to the databases you opened (or any
> smart cards you have loaded). You can control the 'tokenName' of each
> slot with the string arguments you pass to SECMOD_OpenUserDB(), and you
> can get the token name with PK11_GetTokenName() on each slot on the list..
>
> You could also use PK11_ListCertsInSlot() which takes a slot
> (SECMOD_OpenUserDB() will return a slot for you) and lists only those
> certs in that slot.
>
> Be sure to free all these things once you are through with them, or your
> shutdown will fail at the end again.
>
>
> bob

> Am Mittwoch, 11. Januar 2017 00:45:45 UTC+1 schrieb Robert Relyea:
>> On 01/10/2017 02:07 PM, Opa114 wrote:
>>> Am Dienstag, 10. Januar 2017 22:24:10 UTC+1 schrieb Robert Relyea:
>>>> On 01/10/2017 10:18 AM, Opa114 wrote:
>>>>> thanks, but these facts i know.
>>>>> I don't want top let multiple applications open one Database, i want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
>>>>>
>>>>> I tried to use the NSS_Init functions. These works with openening one database, but when i open a second one the whole application crashes,so that's why i asked the question and may be get some working example c++ code?
>>>> 1) Where are you crashing (it's not expected to work, but I don't expect
>>>> a crash because you called NSS_Init again).
>>>>
>>>> 2) To open additional databases you want to use SECMOD_OpenUserDB:
>>>>
>>>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB
>>>>
>>>> You can call that multiple times.
>>>> Once the database is opened any of the NSS find functions will find all
>>>> the certs in both databases. The slot returned from SECOMD_OpenUserDB
>>>> can be used in functions that take a slot to narrow the operations just
>>>> to that particular database.
>>>>
>>>> To NSS each database will look basically like a smart card.
>>>>
>>>> When you are through with that database you can use SECMOD_CloseUserDB()
>>>>
>>>> bob
>>>
>>> thanks for reply. Here are first some little code of which did not work, that means it crashes:
>>>
>>> functionLoadFirefox() {
>>> SECStatus rv = NSS_InitReadWrite(PATH_TO_FF_DB);
>>> ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
>>> NSS_Shutdown();
>>> }
>>>
>>> functionLoadThunderbird() {
>>> SECStatus rv = NSS_InitReadWrite(PATH_TO_TB_DB);
>>> ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
>>> NSS_Shutdown();
>>> }
>>>
>>> So these are my two functions in which i opened and clos the databases and retrieve the certificates.
>> So the certs you got from the first call is likely preventing
>> NSS_Shutdown from completing. The certs hold references to the
>> respective slots. Those references prevent NSS_Shutdown from closing
>> completely. The will prevent the second NSS_Init from succeeding, so you
>> probably crash in your second shutdown. You can detect this happened by
>> looking at the return value from NSS_Shutdown().
>>>
>>> --> 2) To open additional databases you want to use SECMOD_OpenUserDB
>>> So this means. First i have to call NSS_Init with let's say firefox database ad the i have to call SECMOD_OpenUserDB with the thudnerbirddatabse, right? Or must i load both with the SECMOD_OpenUserDB?
>> You can either use NSS_Init with no database and then call
>> SECMOD_OpenUserDB() for both, or you can call NSS_Init with one database
>> and then call SECMOD_OpenUserDB with the other.
>>>
>>> --> Once the database is opened any of the NSS find functions will find all the certs in both databases
>>> But i have to know from which databse the certificates are coming from. So i need to know that let's say Certificate ABC ist stored inside Firefox Databse and Certificate 123 is stored in Thunerbird Database. How can i do that? or is this not possible?
>> The slot the database can be found in the cert->slot entry, but this
>> will only give you ONE of the slots the cert lives in. If a cert exists
>> in both databases, it will have a single entry on the list and be
>> "somewhat" random which slot is listed (If you open one database with
>> NSS_Init and the second with SECMOD_OpenUserDB() then the one you opened
>> with SECMOD_OpenUserDB() will be the slot that shows up.
>>
>> To fix this issue, there's a function called PK11_GetAllSlotsForCert()
>> which returns a slotList and will return all the slots that hold this
>> cert. The slots map one for one to the databases you opened (or any
>> smart cards you have loaded). You can control the 'tokenName' of each
>> slot with the string arguments you pass to SECMOD_OpenUserDB(), and you
>> can get the token name with PK11_GetTokenName() on each slot on the list..
>>
>> You could also use PK11_ListCertsInSlot() which takes a slot
>> (SECMOD_OpenUserDB() will return a slot for you) and lists only those
>> certs in that slot.
>>
>> Be sure to free all these things once you are through with them, or your
>> shutdown will fail at the end again.
>>
>>
>> bob
>
> thanks again for the detailed explanation, that helps me a lot - many thanks!
>
> --> So the certs you got from the first call is likely preventing
> NSS_Shutdown from completing.....
> So when i free the used stuff i can close the database correctly, so that i can open the second one. If i can close the first one correctly and NSS shuts down i should be able to open the second one, too.
> Can you give me some more details to my piece of code or in general how to free the things correctly?

> On 01/11/2017 03:21 AM, Opa114 wrote:
> > Am Mittwoch, 11. Januar 2017 00:45:45 UTC+1 schrieb Robert Relyea:
> >> On 01/10/2017 02:07 PM, Opa114 wrote:
> >>> Am Dienstag, 10. Januar 2017 22:24:10 UTC+1 schrieb Robert Relyea:
> >>>> On 01/10/2017 10:18 AM, Opa114 wrote:
> >>>>> thanks, but these facts i know.
> >>>>> I don't want top let multiple applications open one Database, i want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
> >>>>>
> >>>>> I tried to use the NSS_Init functions. These works with openening one database, but when i open a second one the whole application crashes,so that's why i asked the question and may be get some working example c++ code?
> >>>> 1) Where are you crashing (it's not expected to work, but I don't expect
> >>>> a crash because you called NSS_Init again).
> >>>>
> >>>> 2) To open additional databases you want to use SECMOD_OpenUserDB:
> >>>>
> >>>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB
> >>>>
> >>>> You can call that multiple times.
> >>>> Once the database is opened any of the NSS find functions will find all
> >>>> the certs in both databases. The slot returned from SECOMD_OpenUserDB
> >>>> can be used in functions that take a slot to narrow the operations just
> >>>> to that particular database.
> >>>>
> >>>> To NSS each database will look basically like a smart card.
> >>>>
> >>>> When you are through with that database you can use SECMOD_CloseUserDB()
> >>>>
> >>>> bob
> >>>
> >>> thanks for reply. Here are first some little code of which did not work, that means it crashes:
> >>>
> >>> functionLoadFirefox() {
> >>> SECStatus rv = NSS_InitReadWrite(PATH_TO_FF_DB);
> >>> ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
> >>> NSS_Shutdown();
> >>> }
> >>>
> >>> functionLoadThunderbird() {
> >>> SECStatus rv = NSS_InitReadWrite(PATH_TO_TB_DB);
> >>> ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
> >>> NSS_Shutdown();
> >>> }
> >>>
> >>> So these are my two functions in which i opened and clos the databases and retrieve the certificates.
> >> So the certs you got from the first call is likely preventing
> >> NSS_Shutdown from completing. The certs hold references to the
> >> respective slots. Those references prevent NSS_Shutdown from closing
> >> completely. The will prevent the second NSS_Init from succeeding, so you
> >> probably crash in your second shutdown. You can detect this happened by
> >> looking at the return value from NSS_Shutdown().
> >>>
> >>> --> 2) To open additional databases you want to use SECMOD_OpenUserDB
> >>> So this means. First i have to call NSS_Init with let's say firefox database ad the i have to call SECMOD_OpenUserDB with the thudnerbirddatabse, right? Or must i load both with the SECMOD_OpenUserDB?
> >> You can either use NSS_Init with no database and then call
> >> SECMOD_OpenUserDB() for both, or you can call NSS_Init with one database
> >> and then call SECMOD_OpenUserDB with the other.
> >>>
> >>> --> Once the database is opened any of the NSS find functions will find all the certs in both databases
> >>> But i have to know from which databse the certificates are coming from. So i need to know that let's say Certificate ABC ist stored inside Firefox Databse and Certificate 123 is stored in Thunerbird Database. How can i do that? or is this not possible?
> >> The slot the database can be found in the cert->slot entry, but this
> >> will only give you ONE of the slots the cert lives in. If a cert exists
> >> in both databases, it will have a single entry on the list and be
> >> "somewhat" random which slot is listed (If you open one database with
> >> NSS_Init and the second with SECMOD_OpenUserDB() then the one you opened
> >> with SECMOD_OpenUserDB() will be the slot that shows up.
> >>
> >> To fix this issue, there's a function called PK11_GetAllSlotsForCert()
> >> which returns a slotList and will return all the slots that hold this
> >> cert. The slots map one for one to the databases you opened (or any
> >> smart cards you have loaded). You can control the 'tokenName' of each
> >> slot with the string arguments you pass to SECMOD_OpenUserDB(), and you
> >> can get the token name with PK11_GetTokenName() on each slot on the list..
> >>
> >> You could also use PK11_ListCertsInSlot() which takes a slot
> >> (SECMOD_OpenUserDB() will return a slot for you) and lists only those
> >> certs in that slot.
> >>
> >> Be sure to free all these things once you are through with them, or your
> >> shutdown will fail at the end again.
> >>
> >>
> >> bob
> >
> > thanks again for the detailed explanation, that helps me a lot - many thanks!
> >
> > --> So the certs you got from the first call is likely preventing
> > NSS_Shutdown from completing.....
> > So when i free the used stuff i can close the database correctly, so that i can open the second one. If i can close the first one correctly and NSS shuts down i should be able to open the second one, too.
> > Can you give me some more details to my piece of code or in general how to free the things correctly?
>
> Yes, you have to make sure NSS_Shutdown*() returns without an error, if
> it doesn't the next NSS_init* won't work. You can test for whether NSS
> is still in an initialized state with  NSS_IsInitialized(). If NSS does
> not shutdown successfully it's because of dangling references, finding
> out who is holding on to these is the tricky part. Calling
> NSS_DumpCertificateCacheInfo() *may* give you enough addition
> information to figure that out. In the past I've had to resort to
> running the process under GDB and step through code and data structures
> to figure it out. How hard this is is really a reflection of the
> complexity of your application code. In our case it was pretty complex.
> If your code is simple and clean it may be a total non-issue, YMMV.
>
> >
> > So if it will be better to open the two or more databases but successively and not at the same time as i wanted to do it. Would this be the better working solution. The only thing is that i then must reopen and shutdown the databses multiple times if needed.
>
> Yes, it's better for successive single databases than multiple
> simultaneous IMHO.
>
> > And did i understand it right, that i can use SECMOD_OpenUserDB() and SECMOD_CloseUserDB() to open and close the databases instead of using NSS_Init() and NSS_Shutdown()? The SECMOD-functions do call them internal or? Or does it not matter which of the functions i use?
> >
> > --> ... if you try to trust one CA in one DB/slot and not trust it in another DB/slot, you won't actually be able to do that
> > This is extremely bad, because i have to maybe change the Trust-Status of some Certificates.
> >
> > So in conclusion for my needs it would be the way to open each database separately and successively?
> >
>
>
> --
> John